1. Field of the Invention
This invention relates to secure and privacy protecting transaction systems, and more specifically to cryptographic configurations including value transfers between pairs of subsystems optionally moderated by a third subsystem.
2. Description of Prior Art
Reference is hereby made to P.C.T. publication WO 89/11762 and U.S. Ser. No. 198,315 filed May 24, 1988 titled "Card-computer moderated systems," by the present applicant, which are incorporated herein by reference. The approach taken there, when applied to consumer payments, might suggest a hand-held personal computer configured to include an independent tamper resistant part, and that tamper-resistant part might take the form of a "smart card."
Reference is also hereby made to P.C.T. publication WO 89/08957 and U.S. Ser. No. 168,802 filed Mar. 16, 1988, titled "One-show blind signature systems," by the present applicant, which are incorporated herein by reference. An approach to consumer payment transactions is taken there that does not require a tamper-resistant device to be held by the payer.
In the context of some consumer payment applications, straightforward adoption of the exemplary embodiments of the above two references leaves room for improvement.
In the approach of the first reference cited above, the previously disclosed exemplary embodiments would require that the card computer and/or the tamper-resistant device make cryptographic-transformations during transactions with an external system. Furthermore, these "while-you-wait" computations, as well as other preparatory computations, would make extensive use of public-key cryptographic techniques, which would be impracticably slow with today's smart cards.
The approach of the second reference above may require quite large messages if its "check" feature is not used; but using that feature means that consumers must conduct refund transactions to recover unspent value, and such unspendable pre-payment may not be attractive to consumers. The approach as a whole, moreover, protects against dishonest consumers only by "accountability-after-the-fact" as opposed to "prior-restraint."
A third approach is the obvious one of applying conventional cryptographic techniques in a smart card that communicates directly with an external system. This does have the advantage of allowing transactions without a moderating card computer, although lack of user trusted mechanisms means that users are unable control transactions, but the transactions may be to some degree monitorable after the fact. A challenge would be provided to the card at the time of payment to indicate the amount of payment and prevent "replay" attacks. The card would return the result of a cryptographic transformation using a conventional key also known to the external system and including the challenge as a parameter. Although all cryptography would be of the conventional type, which is today significantly faster than public key, it would still be while-you-wait.
More fundamental problems with this third approach for general use come from the choice of which keys are available at which locations. If each card has the identical key, then some organized effort that succeeds in obtaining this secret by opening a single card could counterfeit or impersonate cards on a wholesale basis. On the other hand, if cards were to have unique keys, then all transactions involving a particular card could be linked together and the holder's privacy would thus be compromised. Because in any variant of this approach each potential off-line point of payment must have access to keys of all cards, compromise of any one such point would also allow widespread impersonation or counterfeiting.